Hello,
A while back (Oct 21st of 2008) Carl and I briefly discussed modifying
ACL.cpp to read SELinux contexts instead of the ACL files. Has anyone
given this any light? If not I'll whip up a prototype to see how the
two work together.
Thanks,
-Josh
In October 2008 Joshua Kramer wrote:
Hello All,
Here's an off the wall idea. Are there any use cases for making QPid a
part of the SELinux ecosystem?
There is currently a project called SE-Postgres. SE-Postgres allows one
to restrict access to rows, columns, and other database features based
on the SELinux restrictions assigned to the connected user.
Might we want to restrict access to QPid resources in the same way?
Cheers, -Josh
Josh,
I know the guys at freeIPA.org have discussed with me taking Qpid as a
dependency and integrating the policy management. This would mean that
both Qpid and SELinux could be administered by the same policy server.
However I think you are thinking to maybe also have the ACL module get
its asserts from SELinux. I believe that would be quite easy and should
be quite quick to prototype and see if it has legs.
In cpp/src/qpid/acl you will find a plugin that implements AclModule.h
from the qpid/broker directory.
Basically you can copy & rename the acl directory to SE-QpidAcl and
re-implement the following two functions in Acl.cpp to call the SELinux
policy tests. SELinux asserts are compiled policies so VERY, VERY fast.
I have marked with comments the two lines that would need to change to
call to SELinux + you will have to disconnect the file loading (not a
big deal to do)
virtual bool authorise(const std::string& id, const Action& action,
    const ObjectType& objType, const std::string& name,
    std::map<Property, std::string>* params=0);
virtual bool authorise(const std::string& id, const Action& action,
    const ObjectType& objType, const std::string& ExchangeName,
    const std::string& RoutingKey);

bool Acl::authorise(const std::string& id, const Action& action,
    const ObjectType& objType, const std::string& name,
    std::map<Property, std::string>* params)
{
    if (!aclValues.enforce) return true;
    boost::shared_ptr<AclData> dataLocal = data; //rcu copy

    // ------------- Call SELinux rather than the loaded file data ----------------------------
    AclResult aclreslt = dataLocal->lookup(id,action,objType,name,params);

    return result(aclreslt, id, action, objType, name);
}

bool Acl::authorise(const std::string& id, const Action& action,
    const ObjectType& objType, const std::string& ExchangeName,
    const std::string& RoutingKey)
{
    if (!aclValues.enforce) return true;
    boost::shared_ptr<AclData> dataLocal = data; //rcu copy

    // ------------- Call SELinux rather than the loaded file data ----------------------------
    AclResult aclreslt = dataLocal->lookup(id,action,objType,ExchangeName,RoutingKey);

    return result(aclreslt, id, action, objType, ExchangeName);
}

Let me know if you need any help, and I am very interested in the idea.
Carl.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
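
A sketch of the lookup swap described in the reply above, as an added example that is not part of the original thread and is not Qpid or libselinux code: a simplified authorise() turns (id, action, objType, name) into an SELinux-style (source context, target context, class, permission) query and denies anything that has no label. The class and permission names, the contexts, the user id and the in-memory policy backend are all assumptions constructed for illustration.

```cpp
// Added example. All names here are hypothetical; this is not Qpid or libselinux code.
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <tuple>

enum class Action { Consume, Publish, Create };
enum class ObjectType { Queue, Exchange };
// One SELinux-style access query: source context, target context, class, permission.
using AvQuery = std::tuple<std::string, std::string, std::string, std::string>;
// Decision backend. On an SELinux host a libselinux call would sit behind this
// (assumption); here it is a constructed in-memory policy so the example runs anywhere.
using Backend = std::function<bool(const AvQuery&)>;

static std::string className(ObjectType t) { return t == ObjectType::Queue ? "qpid_queue" : "qpid_exchange"; }
static std::string permName(Action a) {
    return a == Action::Consume ? "consume" : a == Action::Publish ? "publish" : "create";
}

struct SeAcl {
    std::map<std::string, std::string> userCtx;    // authenticated id -> security context
    std::map<std::string, std::string> objectCtx;  // "class:name" -> security context
    Backend decide;
    bool enforce = true;
    // Same role as Acl::authorise(id, action, objType, name): true means allow.
    bool authorise(const std::string& id, Action a, ObjectType t, const std::string& name) const {
        if (!enforce) return true;  // mirrors the aclValues.enforce check in the thread's code
        auto u = userCtx.find(id);
        auto o = objectCtx.find(className(t) + ":" + name);
        if (u == userCtx.end() || o == objectCtx.end() || !decide) return false;  // unlabeled: deny
        return decide(AvQuery{u->second, o->second, className(t), permName(a)});
    }
};

SeAcl makeDemoAcl() {  // constructed sample labels and policy
    static const std::set<AvQuery> allow = {
        AvQuery{"user_u:user_r:trader_t", "system_u:object_r:orders_queue_t", "qpid_queue", "consume"},
        AvQuery{"user_u:user_r:trader_t", "system_u:object_r:orders_exch_t", "qpid_exchange", "publish"}};
    SeAcl acl;
    acl.userCtx = {{"alice@QPID", "user_u:user_r:trader_t"}};
    acl.objectCtx = {{"qpid_queue:orders", "system_u:object_r:orders_queue_t"},
                     {"qpid_exchange:orders.in", "system_u:object_r:orders_exch_t"}};
    acl.decide = [](const AvQuery& q) { return allow.count(q) > 0; };
    return acl;
}

int main() { std::cout << makeDemoAcl().authorise("alice@QPID", Action::Publish, ObjectType::Queue, "orders") << "\n"; }
```

With the file-based lookup gone, the user and object label maps become the part that needs protecting: a wrong or missing label changes the decision without any change to the policy itself.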